Hi,
We have enabled rule 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability and it triggered lots of blocked events and the attached error. According to KB94876 and update-guide/vulnerability/CVE-2021-40444 from MS, a new rule was created to minimize the false positives and MS fixed it under a security update back in November 2021.
All devices are up to date in terms of MS patches.
1. Is the rule 2844 still needed or replaced by new rule from Trellix KB?
2. If devices are up to date, is rule 2844 or the new rule still needed?
Thank you
Hi @Radu ,
Exploit Signature 2844 is useful against known IOCs. However, the rule is considered aggressive and may trigger false detections.
1. Is the rule 2844 still needed or replaced by new rule from Trellix KB?
You're advised to use both rules for the time being. We'll wait for the next Exploit Prevention content release to confirm if the existing rule is replaced.
2. If devices are up to date, rule 2844 or new rule still needed?
Yes, unless you've followed the workaround from Microsoft's page below. It's best to leave it enabled for added security.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Thanks
Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
Hi,
Understood. Is there a way to get rid of that error that is prompting users? We have many complaints about this.
Thank you.
Hi @Radu ,
Please share a copy of an event. Please ensure to remove any Personally Identifiable Information like Hostname/IP Address.
Thanks.
Hi,
ran C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, which tried to access the file C:\Program Files\Microsoft Office\root\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT632.CNV, the rule "Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability", and was blocked. For information about how to respond to this event, see KB85494.
Analyzer Detector
Analyzer content version 10.6
Product McAfee Endpoint Security
Analyzer rule 2844
Analyzer rule name Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Product version 10.7
Feature name Exploit Prevention
Threat
Action taken Block
Threat category 'File' class or access
Threat event 18060
Threat handled Yes
Threat name Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Threat severity Critical
Threat type Exploit Prevention
Source
Source description "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" Automation -Embedding
Source file path C:\Program Files\Microsoft Office\root\Office16
Source process WINWORD.EXE
Source process signed Yes
Target
Target WPFT632.CNV
Target path C:\Program Files\Microsoft Office\root\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV
Target signed Yes
Hi,
Any info about the error?
Thank you.
Hi @Radu ,
Thank you for your patience. Rule ID 2844 description is as follows.
This signature is applicable only on Microsoft Office version 2013 and below, as the later versions have been patched by Microsoft. This event indicates an attempt to exploit a vulnerability that exists in Microsoft Word, which loads the WordPerfect5 converter module that contains multiple buffer overflow vulnerabilities.
If the office version is above 2013, then it could be a false positive.
The rule is disabled by default to reduce false alerts.
In case the detection is recurring, please check the following.
1. Does it trigger the rule just by launching Word?
2. Could it be file specific, meaning it only triggers with a certain file/operation?
Thanks
Hi,
Office version: 2016
1. Does it trigger the rule just by launching Word?
Yes
2. Could it be file specific, meaning it only triggers with a certain file/operation?
Using word.
If rule 2844 is intended for Office 2013, can I disable it then, assuming that devices are using up-to-date MS patches?
Thank you.
Hi @Radu ,
The Rule was originally written to address the following vulnerabilities.
CVE-2013-1324
CVE-2013-1325
CVE-2013-0082
These should have been addressed by MS on Office 2016, as the last version affected by this vulnerability was MS Office 2013.
Source - https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-091
I would suggest trying the following.
*Try this on one affected system.
1. Run Getsusp
https://www.trellix.com/en-us/downloads/free-tools/getsusp.html
2. Run Stinger
https://www.trellix.com/en-us/downloads/free-tools/stinger.html
3. Then uncheck the rule for this particular system and monitor
If everything looks good, then the rule can be gradually disabled for other affected systems.
Thanks
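To make the triage in this thread repeatable across a fleet, here is a small Python helper (an added example, not Trellix code and not part of any reply above). It parses the key/value event text in the format the original poster pasted and applies the checklist the support replies give for rule 2844: the signature only targets Office 2013 and below (MS13-091, CVE-2013-1324/1325/0082), so on a newer, patched Office a block that fires just from launching Word is probably a false positive; signed source and target binaries sitting in the normal Office install paths are supporting signals, not proof. The Office version is not part of the event, so the caller supplies it (2016 for the poster). The sample event is constructed from the one in the thread with path separators restored and no host or user data; the field names and the threshold are assumptions taken from the text above, not a documented Trellix API.

```python
"""Triage helper for an ENS Exploit Prevention rule 2844 event (added example, not Trellix code)."""
from __future__ import annotations

# Constructed sample modelled on the event posted in the thread (no hostnames or users).
SAMPLE_EVENT = r"""
Analyzer Detector
Analyzer content version 10.6
Product McAfee Endpoint Security
Analyzer rule 2844
Analyzer rule name Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Product version 10.7
Feature name Exploit Prevention
Threat
Action taken Block
Threat category 'File' class or access
Threat event 18060
Threat handled Yes
Threat name Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Threat severity Critical
Threat type Exploit Prevention
Source
Source description "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Automation -Embedding
Source file path C:\Program Files\Microsoft Office\root\Office16
Source process WINWORD.EXE
Source process signed Yes
Target
Target WPFT632.CNV
Target path C:\Program Files\Microsoft Office\root\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV
Target signed Yes
"""

# Field names as they appear in the pasted event, matched as line prefixes.
# Longest first so "Analyzer rule name" is tried before "Analyzer rule".
KNOWN_KEYS = sorted([
    "Analyzer", "Analyzer content version", "Analyzer rule", "Analyzer rule name",
    "Product", "Product version", "Feature name",
    "Threat", "Action taken", "Threat category", "Threat event", "Threat handled",
    "Threat name", "Threat severity", "Threat type",
    "Source", "Source description", "Source file path", "Source process", "Source process signed",
    "Target", "Target path", "Target signed",
], key=len, reverse=True)

LAST_AFFECTED_OFFICE = 2013  # per the rule description and MS13-091, as quoted in the thread


def parse_event(text: str) -> dict[str, str]:
    """Return {field: value}; a line that is only a section name (Threat, Source, Target) is skipped."""
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in KNOWN_KEYS:
            continue
        for key in KNOWN_KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key):].strip()
                break
    return fields


def triage(fields: dict[str, str], office_version: int, triggers_on_launch: bool) -> dict:
    """Apply the thread's checklist; returns a verdict with the reasons and open concerns."""
    if fields.get("Analyzer rule") != "2844":
        return {"verdict": "not rule 2844", "reasons": [], "concerns": [], "action": "n/a"}
    reasons, concerns = [], []

    if office_version > LAST_AFFECTED_OFFICE:
        reasons.append(f"Office {office_version} is newer than {LAST_AFFECTED_OFFICE}, the last version MS13-091 lists as affected")
    else:
        concerns.append(f"Office {office_version} is within the range the signature targets")

    if triggers_on_launch:
        reasons.append("fires on launching Word with no document open, so no crafted file is involved")
    else:
        concerns.append("only fires on specific files/operations; look at the document involved")

    for key in ("Source process signed", "Target signed"):
        (reasons if fields.get(key) == "Yes" else concerns).append(f"{key}: {fields.get(key, 'unknown')}")

    src_ok = (fields.get("Source process", "").upper() == "WINWORD.EXE"
              and "MICROSOFT OFFICE" in fields.get("Source file path", "").upper())
    tgt_ok = (fields.get("Target", "").upper() == "WPFT632.CNV"
              and fields.get("Target path", "").upper().endswith("\\TEXTCONV"))
    if src_ok and tgt_ok:
        reasons.append("Word loading its own WordPerfect converter from the Office install directory")
    else:
        concerns.append("source/target path differs from the standard Office install layout")

    verdict = "likely false positive" if not concerns else "investigate"
    action = ("on one pilot host: run GetSusp and Stinger, then disable rule 2844 and monitor before rolling out"
              if verdict == "likely false positive"
              else "keep rule 2844 enabled and confirm the MS13-091 (and later) Office updates are installed")
    return {"verdict": verdict, "reasons": reasons, "concerns": concerns, "action": action}


if __name__ == "__main__":
    result = triage(parse_event(SAMPLE_EVENT), office_version=2016, triggers_on_launch=True)
    print(result["verdict"])
    for line in result["reasons"] + result["concerns"]:
        print(" -", line)
    print("action:", result["action"])
```

The checklist deliberately treats a signed target in the expected path as supporting evidence only: the converter DLL is a legitimate Office component, and the original vulnerabilities were triggered by crafted documents, so the "does it fire on launch with no file open" answer carries the most weight, which is why the reply above asks it first.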